authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-07-02 15:14:27 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-07-03 15:14:05 +0200
commit76f07e1fdafcda1bcf1c178b2fc8d32b30d9b681 (patch)
treee5f8e9cc6a3269cd9c4120fc637b1428524f30d5 /security-utils
parent68d6d2452a134ae73b579a8726899240bd22d7c6 (diff)
Remove ciphers from DefaultTlsContext public constructors
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java14
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java4
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java3
3 files changed, 12 insertions, 9 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
index 9a1d2be537a..b2edf2f1ebc 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/DefaultTlsContext.java
@@ -33,14 +33,16 @@ public class DefaultTlsContext implements TlsContext {
PrivateKey privateKey,
List<X509Certificate> caCertificates,
AuthorizedPeers authorizedPeers,
- AuthorizationMode mode,
- Set<String> acceptedCiphers) {
- this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode),
- acceptedCiphers);
+ AuthorizationMode mode) {
+ this(createSslContext(certificates, privateKey, caCertificates, authorizedPeers, mode));
}
- public DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers) {
+ public DefaultTlsContext(SSLContext sslContext) {
+ this(sslContext, TlsContext.ALLOWED_CIPHER_SUITES);
+ }
+
+ DefaultTlsContext(SSLContext sslContext, Set<String> acceptedCiphers) {
this.sslContext = sslContext;
this.validCiphers = getAllowedCiphers(sslContext, acceptedCiphers);
this.validProtocols = getAllowedProtocols(sslContext);
@@ -50,7 +52,7 @@ public class DefaultTlsContext implements TlsContext {
private static String[] getAllowedCiphers(SSLContext sslContext, Set<String> acceptedCiphers) {
String[] supportedCipherSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
String[] validCipherSuites = Arrays.stream(supportedCipherSuites)
- .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && (acceptedCiphers.isEmpty() || acceptedCiphers.contains(suite)))
+ .filter(suite -> ALLOWED_CIPHER_SUITES.contains(suite) && acceptedCiphers.contains(suite))
.toArray(String[]::new);
if (validCipherSuites.length == 0) {
throw new IllegalStateException(
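Review bot: Dropping the `acceptedCiphers.isEmpty()` short-circuit from the filter on line 47 means an empty set now yields zero cipher suites and trips the IllegalStateException below, so the package-private constructor added on line 38 acquires an unstated non-empty precondition that nothing checks or documents. A Javadoc on that constructor would make the contract visible to the other classes in the package that can reach it, e.g. `/** Package-private. {@code acceptedCiphers} must be non-empty; it is intersected with {@link TlsContext#ALLOWED_CIPHER_SUITES}, so a caller can narrow the allow-list but never widen it. */`. The public `DefaultTlsContext(SSLContext)` path is unaffected since it passes the full allow-list. getAllowedCiphers continues past the end of the hunk.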
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
index 7dafd9130df..7e60abb2ee6 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ReloadingTlsContext.java
@@ -21,6 +21,7 @@ import java.nio.file.Path;
import java.security.KeyStore;
import java.time.Duration;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
@@ -106,7 +107,8 @@ public class ReloadingTlsContext implements TlsContext {
.map(authorizedPeers -> (X509ExtendedTrustManager) new PeerAuthorizerTrustManager(authorizedPeers, mode, mutableTrustManager))
.orElseGet(() -> new PeerAuthorizerTrustManager(new AuthorizedPeers(Set.of()), AuthorizationMode.DISABLE, mutableTrustManager)))
.build();
- return new DefaultTlsContext(sslContext, new HashSet<>(options.getAcceptedCiphers()));
+ List<String> acceptedCiphers = options.getAcceptedCiphers();
+ return new DefaultTlsContext(sslContext, acceptedCiphers.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : new HashSet<>(acceptedCiphers));
}
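Review bot: The empty-means-default rule on line 69 duplicates what the new public `DefaultTlsContext(SSLContext)` constructor in this commit already does, so two places must now agree on what the default cipher set is. Keeping the default in one place would read `return acceptedCiphers.isEmpty() ? new DefaultTlsContext(sslContext) : new DefaultTlsContext(sslContext, new HashSet<>(acceptedCiphers));`. Note that the two-argument constructor is package-private, so this call compiles only because both classes share the package; a short comment such as `// configured ciphers are intersected with ALLOWED_CIPHER_SUITES in DefaultTlsContext, never widened` would record that a configured list cannot relax the allow-list, and that a list with no overlap surfaces only as an IllegalStateException at construction. The enclosing method starts before the hunk.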
// Wrapped methods from TlsContext
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
index eb06cdb96c9..f27614a0ec3 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java
@@ -15,7 +15,6 @@ import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
-import java.util.Set;
import static com.yahoo.security.KeyAlgorithm.EC;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
@@ -47,7 +46,7 @@ public class DefaultTlsContextTest {
singletonList(new RequiredPeerCredential(RequiredPeerCredential.Field.CN, new HostGlobPattern("dummy"))))));
DefaultTlsContext tlsContext =
- new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, Set.of());
+ new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE);
SSLEngine sslEngine = tlsContext.createSslEngine();
assertThat(sslEngine).isNotNull();
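Review bot: The test only follows the signature change on line 87; the behavioral change in this commit — an empty accepted-cipher set no longer means "all allowed" and instead fails during DefaultTlsContext's cipher filtering — has no coverage, and neither does the new public `DefaultTlsContext(SSLContext)` constructor. Consider a second test that builds a context via the package-private `new DefaultTlsContext(sslContext, Set.of())` and asserts the IllegalStateException, plus one that constructs `new DefaultTlsContext(sslContext)` and checks `createSslEngine()` returns a non-null engine; the `java.util.Set` import removed on line 80 would be needed again for the first. The test method begins before the hunk.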